Dave Mill (Inspire) stood up at NZNOG and clearly said that for them that never happened. Just turn it on. On Tue, Feb 11, 2014 at 11:51 AM, Nathan Ward wrote:

On 11/02/2014, at 11:35 am, Andy Linton wrote:

At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave a talk on DNSSEC and had some interesting statistics about the use of validating resolvers for DNS and DNSSEC.

For DNSSEC to work there are two parts of the equation that need to happen:

1) People need to sign their zones 2) People need to ask the question "is this zone signed" etc.

I want to talk about 2)

Geoff noted that a number of countries that we might not expect to be high on the list of those validating the responses using the DNSSEC technology were way ahead of the rest of the world. I haven't got the exact numbers here - I expect his presentation will appear shortly and there's likely to be a video of it at some stage at http://www.r2.co.nz/20140130/ - but from memory the global average is about 7% usage of validating resolvers.

New Zealand is a dismal <2% and I'd like to challenge you all to do something about that. And we're way behind the Australians....

Geoff pointed out that the high rate elsewhere is due to a large degree to the number of people using Google's Public DNS servers and while that looks attractive and an easy way to improve those numbers I'd ask you not to go down that path. You need to do this yourself (or at least as close as possible to the end user). If you use someone else's resolver then your traffic can be intercepted en route to the validating resolver => man in the middle attack => game over.

And of course, handing this data over to a centralised collection agent makes the work of anyone who wants to snoop on you much, much easier.

It's not about Google's servers - this applies equally to public servers run by anyone. DNSSEC validation is not real validation unless it's performed end to end or at least as close as possible to that. A number of NZ ISPs provide this service to their customers with their in house resolvers and those of you who don't should really be looking at when you will do this.

Those people who have signed their zones are making assertions about how they want their DNS data to be interpreted. They're saying that unless you validate their DNS data they really don't want you to connect to them. You should be taking notice of this. But then maybe you just ignore broken certs on websites etc.

So what should you do?

End user =======

Check here - http://dnssec.vs.uni-due.de/ Or use - https://www.dnssec-validator.cz/

Ask your ISP/admins to fix this.

ISPs/Enterprise ============

If you're running a resolver for customers do the work to get it validating, please....

Plenty of info out there on how to do this for Bind and Unbound and I'm no Windows expert but this looks straightforward:

Windows: http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSE...

I've been talking about this with one of my customers recently, and there's a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don't work' while the other ISP does.

Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it's not hard to figure out.. thinking out loud here we'd probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc. Thinking out loud here.

Good chance that all the problems around this have disappeared these days, but, it'd be interesting to find out.

(note, I haven't Googled yet :)

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

On Tue, 11 Feb 2014 12:25:10 +1300, Glen Eustace wrote:

perhaps Michael from Unleash might comment as well as unleash.net.nz is signed as well

No problems so far that I can point to as a result of unleash.net.nz being signed. We've been monitoring it and haven't had any oopses with the signing yet that we've spotted (which is not to say that there haven't been a few unfortunate cases more generally, dns-oarc has a few good ones documented). I've had some problems with my personal empire (hotplate.co.nz) but all I can really say of that is "don't run your signing infrastructure on a netbook at your house with no backups". The worst fallout from that was ~ 1 hour where my mailman lists wouldn't talk to Gmail while I replaced DS records, re-signed and went back to ignoring it :) I did have to wait until just as the ZSK was expiring to try minimise the impact of this. Obviously the unleash.net.nz signing is being carried out on slightly more appropriate kit 8^) -- Michael

10,000+ customers resolving with DNSSEC enabled caches and we have noticed no issues with it. The only thing we had to do is disable the DNS sec error logging as it was a lot of noise. category dnssec { null; }; dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto; Tony, Flip -----Original Message----- From: Dean Pemberton Sent: Tuesday, February 11, 2014 12:20 PM To: Nathan Ward Cc: NZNOG List Subject: Re: [nznog] Validating resolvers for DNS and DNSSEC Dave Mill (Inspire) stood up at NZNOG and clearly said that for them that never happened. Just turn it on. On Tue, Feb 11, 2014 at 11:51 AM, Nathan Ward wrote:

On 11/02/2014, at 11:35 am, Andy Linton wrote:

At the recent NZNOG meeting in Nelson, Geoff Huston from APNIC gave a talk on DNSSEC and had some interesting statistics about the use of validating resolvers for DNS and DNSSEC.

For DNSSEC to work there are two parts of the equation that need to happen:

1) People need to sign their zones 2) People need to ask the question "is this zone signed" etc.

I want to talk about 2)

Geoff noted that a number of countries that we might not expect to be high on the list of those validating the responses using the DNSSEC technology were way ahead of the rest of the world. I haven't got the exact numbers here - I expect his presentation will appear shortly and there's likely to be a video of it at some stage at http://www.r2.co.nz/20140130/ - but from memory the global average is about 7% usage of validating resolvers.

New Zealand is a dismal <2% and I'd like to challenge you all to do something about that. And we're way behind the Australians....

Geoff pointed out that the high rate elsewhere is due to a large degree to the number of people using Google's Public DNS servers and while that looks attractive and an easy way to improve those numbers I'd ask you not to go down that path. You need to do this yourself (or at least as close as possible to the end user). If you use someone else's resolver then your traffic can be intercepted en route to the validating resolver => man in the middle attack => game over.

And of course, handing this data over to a centralised collection agent makes the work of anyone who wants to snoop on you much, much easier.

It's not about Google's servers - this applies equally to public servers run by anyone. DNSSEC validation is not real validation unless it's performed end to end or at least as close as possible to that. A number of NZ ISPs provide this service to their customers with their in house resolvers and those of you who don't should really be looking at when you will do this.

Those people who have signed their zones are making assertions about how they want their DNS data to be interpreted. They're saying that unless you validate their DNS data they really don't want you to connect to them. You should be taking notice of this. But then maybe you just ignore broken certs on websites etc.

So what should you do?

End user =======

Check here - http://dnssec.vs.uni-due.de/ Or use - https://www.dnssec-validator.cz/

Ask your ISP/admins to fix this.

ISPs/Enterprise ============

If you're running a resolver for customers do the work to get it validating, please....

Plenty of info out there on how to do this for Bind and Unbound and I'm no Windows expert but this looks straightforward:

Windows: http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSE...

I've been talking about this with one of my customers recently, and there's a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don't work' while the other ISP does.

Is there public data available re. this? Does it likely vary much for NZ? I think unbound can be configured to only log when validation fails rather than actually acting on it in a negative way, so I imagine it's not hard to figure out.. thinking out loud here we'd probably want some full query logging to get some useful stats - i.e. this zone that breaks is looked at by x% of customers, and it is y% of total unique zones queried, etc. Thinking out loud here.

Good chance that all the problems around this have disappeared these days, but, it'd be interesting to find out.

(note, I haven't Googled yet :)

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Here you go - Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d48226850: fhr.data.mozilla.com A: no valid signature found Feb 11 14:24:31 ns2 named[5927]: validating @0x7f1d4a56b910: gks3ve6q998vi7v3llirpk67eh1rpm81.mozilla.com NSEC3: no valid signature found Feb 11 14:25:09 ns2 named[5927]: validating @0x7f1d481cbce0: hollywoodreporter.myshopify.com A: no valid signature found Feb 11 14:25:11 ns2 named[5927]: validating @0x7f1d507226f0: valetmag.myshopify.com A: no valid signature found Feb 11 14:25:16 ns2 named[5927]: validating @0x7f1d402b2c10: furniture-zone.myshopify.com A: no valid signature found Feb 11 14:25:27 ns2 named[5927]: validating @0x7f1d48226850: preferences-mgr.truste.com A: no valid signature found Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d48226850: beastmodecoaching.myshopify.com A: no valid signature found Feb 11 14:25:38 ns2 named[5927]: validating @0x7f1d429a96d0: legendsofaesthetics.myshopify.com A: no valid signature found -----Original Message----- From: Nathan Ward Sent: Tuesday, February 11, 2014 1:44 PM To: Tony Wicks Cc: NZNOG List Subject: Re: [nznog] Validating resolvers for DNS and DNSSEC On 11/02/2014, at 1:21 pm, Tony Wicks wrote:

10,000+ customers resolving with DNSSEC enabled caches and we have noticed no issues with it. The only thing we had to do is disable the DNS sec error logging as it was a lot of noise.

category dnssec { null; };

dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;

Error logging isn’t something I’d want to ignore. What sort of errors were you seeing? — Nathan Ward

On 2014-02-11 11:51 , Nathan Ward wrote:

On 11/02/2014, at 11:35 am, Andy Linton wrote:

...

[Validated your DNSSEC]

I’ve been talking about this with one of my customers recently, and there’s a concern by some that turning on validation will trip false positives - which for an ISP is a bad thing to do - all the customer sees is that you 'don’t work' while the other ISP does.

I too have customers like that, who decided "not validating" was safer. So I asked Geoff about bad signing situations. He pointed out that particularly since Google have been validating (for 8.8.8.8) for 6+ months, any bad signing situations either tend not to persist for very long (ie, it's not just broken for you!), or are unimportant (ie, basically no one noticed so it never got fixed). IIRC Geoff said that someone at (I think) University of Cambridge was keeping stats on broken DNSSEC and how long it persisted, but I haven't tracked down the reference. I came away from that discussion with Geoff, and comments from Inspire/Unleash/etc with the impression that just turning on DNSSEC validation is pretty safe these days, and ought to be the default. It's certainly on my "to follow up early this year" list. Ewen

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/02/14 12:15, Michael Fincham wrote:

On Tue, 11 Feb 2014 11:35:08 +1300, Andy Linton wrote:

...

If you're running a resolver for customers do the work to get it validating, please....

I'm happy to volunteer some time in my personal capacity for anyone who needs a hand getting unbound up and running with validation - or for that matter PowerDNS for live signing.

unbound especially is very easy to get running & signing :)

For those not present in NZNOG14, I gave a lightning talk about how easy was to setup unbound on a Raspberry PI to serve the NZNOG wireless network. We could have get away with it unnoticed with a more powerful box, the RPi couldn't handle the load properly and timed out on some users under heavy load (lunch time). Also, I gave a tutorial about OpenDNSSEC to teach how to do the signing. If anyone needs help with that, let us know. Cheers,

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

- -- Sebastian Castro Technical Research Manager .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlL5X9EACgkQWyqRrHcQWTnwKgCfY/49SgaE8pbJ4m2AchLQzA37 LxEAn2VqCvw0aZMrmWkhH9I6ioteQqJa =zkrV -----END PGP SIGNATURE-----